Author: Danielle Citron


Playing Fast and Loose with Genetic Information

According to the New York Times, Google co-founder Sergey Brin, in a recent blog post, shared the news that he has a gene mutation that increases his likelihood of developing Parkinson’s disease. According to Brin, studies show that his likelihood of developing the disease “in his lifetime may be 20% to 80%.”

What would possess Brin to disclose this sensitive personal information? The simple answer may lie in a crass attempt at advertising for his wife’s company, 23andMe, a biotechnology start-up that maps DNA for customers. In his blog post, Brin reported that 23andMe identified his gene mutation, a discovery that will allow him to “adjust his life to reduce” his chance of developing Parkinson’s and “support research into this disease” long before it affects him. (At a party, Brin told a New York Times reporter that he thought disclosing one’s DNA code to the public would be helpful to attract input from doctors who could suggest treatments, in a sort of open-source model). But for anyone else–a mere mortal who does not have the luxury of his wealth–such a disclosure would be foolish. Employers would no doubt view a person differently, even though the increased chance of developing the disease based on the gene mutation is so uncertain. His disclosure also sends the wrong signal to the easily influenced–one hopes that we do not see people announcing their potential diseases on Facebook or MySpace.


Flaws in the Election Assistance Commission


Senate Majority Leader Harry Reid recently appointed Barbara Simons to the Election Assistance Commission’s Board of Advisors, the federal body that sets voting technology standards for states that volunteer to be bound by them. As noted e-voting expert and computer scientist Professor Ed Felten explains, Simons is an accomplished computer scientist who will provide badly needed expertise on voting technology to the 37-member board. Before Simons’s appointment, none of the four board seats allocated for “professionals in the field of science and technology” had been filled.

Although appointing Simons is an important step in the right direction, more e-voting experts and technologists must be appointed, and now. The EAC’s board is knee-deep in public hearings about the newest version of the Voluntary Voting Standards Guidelines (VVSG). This version of the VVSG—a massive 600-page document—has received serious criticism for its prescription of numerous contested requirements for voting technology that arguably hinder experimentation. The critics’ argument makes a tremendous amount of sense, as rapidly changing technologies are often best guided by standards that can accommodate rapid change. Professor Felten suggests that 10% of the board ought to be reserved for technologists. Even more technologists would be better, as a central function of the EAC is to enhance the accuracy and security of voting technologies. The majority and minority leaders of the House and Senate who appoint the board members should seriously consider appointing e-voting experts, such as Professors Felten, Dan Wallach, and Avi Rubin, for board membership.

Image by Joebeone, from Wikicommons, under a CC-BY-2.5 license


What Comes Around Goes Around

Today’s New York Times reports that a 68-year-old broker stole over $600,000 from elderly clients and then lost most of his loot in an Internet fraud scheme. The broker received an email from someone claiming to represent his distant relative who had died and left him over eight million dollars. The broker took the bait and wired overseas more than $400,000, apparently believing that the money would aid in the release of the inheritance.

Despite the significant publicity devoted to exposing such scams, consumers continue to fall prey to email fraudsters in significant numbers. Reports suggest that 29% of Internet users have been deceived by spam emails. According to the Sydney Morning Herald, Australians lost $36 million last year to fraudsters claiming affiliations with Nigeria. An intriguing new scam involves fraudsters who set up fake profiles on dating sites, stringing along targets for months before agreeing to meet and then asking for money to help pay for a plane ticket. Some, like the Nigerian High Commission, suggest that the deceived are as guilty as those who ask for money and thus should be subject to arrest as well. That sentiment may not convince many, but in the case of the New York broker who stole his clients’ life savings, the email scam is truly just deserts.


Shiller’s Subprime Solution

In his 2005 book Irrational Exuberance, Yale economist Robert Shiller predicted the once unthinkable, and now unfortunate present: the boom and bust in real estate that would have grave consequences both in the U.S. and globally. In his newest book The Subprime Solution, Shiller calls for sweeping reform to address the current crisis. Part of his answer is greater transparency through financial databases and disclosures. He also argues for a Financial Product Safety Commission to protect consumers of financial products and services, much in the same way that the Consumer Products Safety Commission sheds light on, and removes, unsafe consumer products. This transparency-enhancing argument recalls the important proposal for a Federal Search Commission made by Frank Pasquale and Oren Bracha in the most recent issue of the Cornell Law Review. Whatever the merits of Shiller’s numerous suggestions, one thing is certain: heightened transparency of financial products and services would provide significant benefits to consumer confidence and the industry itself.


Fairfax on “Too Big to Fail”?

Over at the Conglomerate, Lisa Fairfax has a superb post on the current bailout crisis entitled “Too Big To Fail”? She writes:

“A dominant theme in the recent discussions of the bailouts is that certain entities are “too big to fail.” This got me thinking about the notion of “too big to fail” and its ramifications. In particular, I wonder whether and to what extent we need to pay closer attention to companies that are “too big to fail” going forward. A few questions come to mind. When people say that a company is too big to fail, does that really mean that a company is simply “too big”? If so, does that mean that we need to do more to encourage smaller companies, or at the very least do more to discourage large companies or companies that are intertwined with too many industries? Does it mean that these larger companies simply need to be broken apart, much in the way that we demanded AT&T break off into the baby bells? Alternatively, is there some value with ensuring that companies do not get “too big” in the sense that companies should be discouraged from having their tentacles in so many critical and multi-faceted operations that they play a pivotal role in the healthy operation of our markets, even if it does not have anti-trust implications? In other words, if a company is too big to fail, should we have taken steps to prevent these companies from getting so big, and presumably so important, to our economic health? And if so, should this be a focus for the future?

On the other hand, let’s assume that we are not prepared to discourage the growth of “too big” corporations. Perhaps then we need to take seriously increased regulation for such companies. Indeed, perhaps our current governance system is not equipped to monitor these companies. Moreover, if certain companies are so crucial to our economic health that we cannot permit them to fail, then it seems that we have an important interest in knowing as much as we can about those companies—and potentially more than we know about other companies. Enhanced disclosure and transparency not only would help us in times of crisis, but it would allow us to take preventative steps to combat problems before they arise. To be sure, some may contend that these companies are already heavily watched, while others may resist increased oversight of particular entities within the corporate world. But perhaps enhanced oversight is the price these “too big” companies must pay once we acknowledge that their continued existence is critical to our markets.”

Because the politicians have been saying that companies like Lehman were “too big” for the government to let fail, and because the news is awash in this talk, I thought that the readers here would benefit from Fairfax’s discussion.


Here Now and Soon Gone

Government accountability may be more of a slogan than a reality if agencies continue to fall down on their record-keeping obligations. According to the New York Times, countless federal records have been irretrievably lost because federal employees regularly fail to preserve the documents they create on government computers, send by email, and post on agency websites. The EPA’s website, for instance, lists more than 50 broken links that once connected readers to documents on depletion of the atmosphere’s ozone layer. At least 20 documents have been removed from the website of the U.S. Commission on Civil Rights, including a draft report that was highly critical of the Bush Administration’s civil rights policies. Because federal agencies increasingly publish reports on the Web rather than on paper, and because agencies do not store records in a centralized manner, government records will simply disappear over time. Moreover, a recent GAO report notes that email records of senior officials at several large agencies were not consistently preserved. Those government records can never be checked.

The National Archives is in the early stages of creating a permanent electronic record-keeping system. Unfortunately, it is behind schedule and under budget. Although the House passed a bill in July that would require agencies to preserve more electronic records, President Bush has threatened to veto the bill on the grounds that it would “interfere with a president’s ability to carry out his or her constitutional and statutory responsibilities.” Government officials and employees who have not adhered to federal record-keeping rules likely will not start now, especially with the turnover in administration looming. Government records needed to assure accountability should not be here now and soon gone.


Harnessing the Wisdom of Crowds to Spot Spin

According to Business Week, this month marks the birth of Spinspotter, a website that lets users identify and discuss phrases in news stories that smack of bias. The website owner, a former Microsoft executive, will generate income by selling advertisements connected to the bias-infected news stories identified by users. For instance, Toyota might want to hang Prius ads around the phrase “gas guzzler.” Or Microsoft and Apple might want to buy ad space next to a news article that deems Windows Vista a “bug-filled failure.”

This is an intriguing, and mischievous, combination–users expose media bias (or its gullibility to spin doctors) while spin doctors append ads to win back or capture those cynical eyeballs. Given the site’s construction around key phrases, bias accomplished through silence may be missed. So often, media outlets emphasize the positive in politicians and industry such that the lack of criticism reveals a bias worthy of the SpinSpot treatment. But if crowds are indeed wise, they may find a way to highlight those bias-filled silences.


The Inability to Opt Out of DPI (or Why the Marketplace Cannot Cure Paul’s Worries)

Some might respond to Paul Ohm’s terrific article, The Rise and Fall of Invasive ISP Surveillance, by suggesting, as network providers do, that the marketplace will sort out our privacy concerns about Deep Packet Inspection practices because consumers can opt out of DPI tracking of their online life with a single click. Optimism about a properly functioning marketplace, however, is misplaced for several reasons. First, as Arstechnica reports, network providers bury notice of their inspection practices in densely worded privacy policies and do not email users to note the change in policy. Thus, a basic information asymmetry problem arises—consumers cannot reasonably be expected to know about, and protect themselves from, opaque practices. Second, even if consumers opt out of the creation of behavioral profiles for use in delivering ads, they may not be opting out of the copying of their traffic. And, third, as Dr. David Reed testified before the Subcommittee on Telecommunications and the Internet, even if some network providers switch to an opt-in approach or reject DPI entirely, consumers cannot totally control the use of DPI technologies by those with whom they communicate, thus rendering consumer choice illusory. Thus, the privacy concerns that Paul raises likely are not self-correcting.


Is LinkedIn a Bad Idea for Employers?

On LinkedIn, users connect with colleagues, clients, and friends, providing information about their professional specialties in the hopes of generating business opportunities. Although that social networking site and others like it may help organizations and their employees build client rosters, they also provide crucial information to hackers who use it to prey upon an organization’s employees and fool them into downloading malware into their system. With the Google search of “at site:” and a company’s name, an attacker can view a list of public LinkedIn profiles of individuals working at the company, their positions, and potentially a list of their closest colleagues. An attacker who knows the email address formatting conventions within a company would in turn know the email address of many potential victims.

Consider this example. An attacker learns that two employees with an organization, Jonathan and Nate, are friends. The attacker might send Jonathan an email purporting to be from Nate. The text of the message might say, “Jonathan, I would love your thoughts on this PowerPoint I put together for my upcoming conference. Best, Nate.” If the attacker can persuade Jonathan to open the email, the attacker can gain power over that user to spread malware that could raid the employer’s digital treasure chests of valuable information.

Markus Jakobsson offers advice on how to combat this problem. Employers could insist that employees do not maintain public profiles of their social networking sites. They could educate employees about the tactics used by attackers. Better spam filtering would make it harder to reach the potential victims, and good antivirus protection from an established vendor that provides regular, reliable updates may effectively block many dangerous attachments.


Agent Mulder Redux

Arstechnica reports that the U.K.’s National Hi-Tech Crime Unit will be producing to the United States government a British citizen who allegedly infiltrated computer systems run by the United States military and numerous federal agencies, including the Pentagon. It appears that the British hacker was searching for proof of “alien life.” U.S. Attorney Paul McNulty of the Eastern District of Virginia intends to pursue charges under the Computer Fraud and Abuse Act, which could result in serious jail time and significant fines.

Computer hacking to steal credit cards, trade secrets, and other valuable information is widespread. Although the pursuit of computer crimes has been slow to evolve, this extradition request and the recent arrest of 11 members of an international identity theft ring that stole 41 million credit and debit card numbers may signal to would-be hackers that they face the real risk of prosecution. It would be heartening to see the Department of Justice put its resources behind pursuing hackers who inflict serious financial and personal harm. Perhaps we could call any uptick in such prosecutions the Mulder Effect.